Deploying Transit VPC for Amazon Web Services

Information About Deploying Transit VPC

This is a summary of deploying the three main components of the transit VPC design. To follow the detailed procedures, go to Launching a Transit VPC Hub.

Launching a Transit VPC Hub

The first procedure deploys the transit VPC, which acts as the central hub for traffic flowing to other destinations (other VPCs or remote networks). The transit VPC hub hosts two Cisco CSR 1000v instances, which allow for VPN termination and routing.

The second procedure creates a spoke VPC, which connects to the transit VPC hub through dynamically routed VPN connections. These VPN connections let the spoke VPCs use routing and failover capabilities to maintain highly available network connections.

Dynamic Multipoint VPN (DMVPN) combines GRE, NHRP, and IPsec. After the transit VPC stack launch has completed (see Launching a Transit VPC Hub), you can launch DMVPN using an AWS CloudFormation one-click template, which connects the transit VPC network to a private DMVPN hub. The transit VPC hub is treated as a DMVPN spoke.

Under the "License Included" model, you can choose an "hourly" license. If you have an issue with an hourly license, you first contact AWS, and AWS then contacts Cisco (depending on the severity of the issue).

Procedure

Step 1

Enter parameter values into the AWS CloudFormation "transit-vpc-template", such as those shown in the table: "Parameters for Launching a Transit VPC".

Table 1 Parameters for Launching a Transit VPC

Stack name
    Name of this transit VPC or "stack".

CSR Throughput Requirements
    Required throughput for the CSR 1000v instance. This determines the instance type to be launched.
    Default: 2 x 500 Mbps

SSH Key to access CSR
    Public/private key pair that allows a secure connection to be made to a CSR 1000v instance after it has launched.
    You must enter a public/private key pair. (The key pair was created in your preferred region at the time the AWS account was created.)

Prefix for S3 Objects
    Text string to be used as a prefix when Amazon S3 objects are created.
    Default: vpnconfigs/

Additional AWS Account ID
    Account ID of an AWS account to be associated with the transit network, which allows access to the S3 bucket and the AWS KMS customer master key.
    Note: You can enter only one additional AWS account ID in this field. If you want to connect more than one additional AWS account to the transit network, you must manually configure permissions for the additional accounts.

Transit VPC CIDR Block
    CIDR block for the transit VPC. Modify the VPC and subnet CIDR address ranges to avoid collisions with your network.

Review and confirm the settings. Note: Check the checkbox that acknowledges that the template will create AWS Identity and Access Management (IAM) resources.

Step 5

Click Create to deploy the stack.

Step 6

To view the status of the stack, look at the Status column in the AWS CloudFormation console. If the deployment is successful, a status of "CREATE_COMPLETE" appears after approximately five minutes.

Parameters for Launching a Spoke VPC

High Availability
    If High Availability is enabled, two Cisco CSR 1000v instances are created rather than one. These two Cisco CSR 1000v instances run in high availability mode. (Additional costs apply.)
    Values:
    NO: creates a spoke VPC with a single Cisco CSR 1000v instance.
    YES: creates a spoke VPC with two Cisco CSR 1000v instances, for high availability.
    Default: YES

Create CSRs in a single Availability Zone
    Determines whether to create the EC2 instances in one Availability Zone.
    Default: "No"

Prefix for S3 Objects
    Text string to be used as a prefix when Amazon S3 objects are created.
    Default: vpnconfigs/

Transit VPC S3 Bucket
    Name of the S3 bucket of the existing transit VPC hub to which the spoke VPC will be connected.

Transit Prefer Path
    Name of the preferred Cisco CSR 1000v instance to use for the active/passive paths through the transit network. Choose one of three options: NONE, CSR1, or CSR2.
    Default: NONE

Use existing VPC
    Drop-down menu from which to choose an existing VPC as the spoke VPC.

SendAnonymousData
    Indicates whether to send anonymous data about the usage of this spoke VPC to Amazon Web Services. AWS uses the data to better understand how this transit VPC design is working and to achieve cost savings for customers. If you do not want to send this anonymous data, select "No".

Review and confirm the settings. Note: You must check the checkbox that acknowledges that the template will create AWS Identity and Access Management (IAM) resources.

Step 5

Click Create to deploy the stack.

Step 6

To view the status of the stack, look at the Status of each stack in the AWS CloudFormation console. A status of "CREATE_COMPLETE" should appear for a stack after approximately five minutes.

Example: The following example shows the AWS CloudFormation console after launching DMVPN. The DMVPN, spoke, and transit VPC stacks all show a status of "CREATE_COMPLETE".
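The two launch procedures above (transit VPC hub and spoke VPC) both depend on choosing a transit VPC CIDR that does not collide with existing networks and on waiting for "CREATE_COMPLETE". The following pre-flight check and stack-status classifier are an added example, not part of the Cisco or AWS template; the parameter names (transit_vpc_cidr, transit_prefer_path, additional_account_id, high_availability) mirror the tables above and are assumptions, not the template's real CloudFormation parameter keys, and the stack names and account ID in the sample data are constructed placeholders.

```python
import ipaddress
import re

PREFER_PATH = {"NONE", "CSR1", "CSR2"}          # Transit Prefer Path options from the table
HA_VALUES = {"YES", "NO"}                         # High Availability options from the table
# CloudFormation stack states that mean the launch will not reach CREATE_COMPLETE.
TERMINAL_FAILURES = {"CREATE_FAILED", "ROLLBACK_IN_PROGRESS", "ROLLBACK_COMPLETE", "ROLLBACK_FAILED"}


def check_transit_params(params, existing_cidrs):
    """Return a list of problems with the chosen parameter values (empty = OK).

    existing_cidrs: ranges already in use (spoke VPCs, on-prem networks) that the
    transit VPC CIDR must not overlap, per the "Transit VPC CIDR Block" guidance.
    """
    problems = []
    try:
        transit = ipaddress.ip_network(params["transit_vpc_cidr"], strict=True)
    except (KeyError, ValueError) as exc:
        return [f"transit_vpc_cidr invalid: {exc}"]
    for cidr in existing_cidrs:
        if transit.overlaps(ipaddress.ip_network(cidr)):
            problems.append(f"transit_vpc_cidr {transit} overlaps existing range {cidr}")
    if params.get("transit_prefer_path", "NONE") not in PREFER_PATH:
        problems.append("transit_prefer_path must be NONE, CSR1 or CSR2")
    if params.get("high_availability", "YES") not in HA_VALUES:
        problems.append("high_availability must be YES or NO")
    acct = params.get("additional_account_id")
    if acct is not None and not re.fullmatch(r"\d{12}", acct):
        problems.append("additional_account_id must be a 12-digit AWS account ID")
    return problems


def stack_state(describe_stacks_json, stack_name):
    """Classify one stack from `aws cloudformation describe-stacks` output as
    'complete', 'pending' or 'failed' instead of polling the console by eye."""
    for stack in describe_stacks_json["Stacks"]:
        if stack["StackName"] == stack_name:
            status = stack["StackStatus"]
            if status == "CREATE_COMPLETE":
                return "complete"
            if status in TERMINAL_FAILURES:
                return "failed"
            return "pending"          # e.g. CREATE_IN_PROGRESS
    raise KeyError(f"stack {stack_name!r} not found")


# Constructed sample of describe-stacks output after the three launches (placeholder names).
SAMPLE_STACKS = {"Stacks": [
    {"StackName": "transit-vpc", "StackStatus": "CREATE_COMPLETE"},
    {"StackName": "spoke-vpc", "StackStatus": "CREATE_IN_PROGRESS"},
    {"StackName": "dmvpn", "StackStatus": "ROLLBACK_COMPLETE"},
]}
```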